00:00:00 - Welcome to configuring VLANs and VTP Part 2.
00:00:05 - I plan on picking up right where we have left off where we have the switches
00:00:07 - added to the network, trunks configured, VTP is running, VLANs
00:00:11 - are replicating. Now, let's move into some of the VLAN architectural
00:00:14 - design, and I have added one more topic that I'd like to talk about
00:00:18 - in this video because it ties right in, and that is configuring routing
00:00:21 - between VLANs once we have the VLANs set up and configured.
00:00:26 - So I have enhanced our network diagram from the previous video,
00:00:29 - and I went ahead and notated where the trunks were because those are
00:00:32 - now hard coded in the network. All the other ports are considered
00:00:35 - access ports. You'll notice down here, I mentioned the VLANs that are in
00:00:39 - use, those are the ones that we created in the last video.
00:00:42 - One is the default VLAN and at this point everything
00:00:46 - is assigned to the default VLAN, everything is in VLAN 1.
00:00:49 - Down here, I have the sales VLAN, marketing
00:00:52 - VLAN, and engineering VLAN that is replicated between switch
00:00:55 - 1, 2 and 3, all on this network.
00:00:59 - Now as of right now, those are there and the switches have
00:01:01 - them, but they're not doing anything. So one of the last steps
00:01:06 - that we have to take is assigning the ports to the VLAN.
00:01:09 - Now, before I do that I want to do a little test. I want to
00:01:12 - bring up a command prompt here. Let me just, I'll
00:01:15 - do a start, run, CMD. Got my command prompt up. Now, this computer
00:01:21 - right here is the 192.168.1.50.
00:01:25 - You can see I have the ethernet adapter lab. This is the IP address
00:01:29 - that I am using. It is, the, the computer I'm showing you right
00:01:31 - now is this guy right here, 1.50. So as of right now that
00:01:36 - PC is able to ping this PC, and well anything else in the network.
00:01:40 - Let me just verify that.
00:01:44 - I will do a ping 192.168.1.20. That's the
00:01:47 - other PC. Sure enough, I am able to ping. That's, that's reaching
00:01:50 - from here to here. Let's just do a couple more test pings.
00:01:54 - I'm going to ping from here to 192.168.1.2.
00:02:00 - Sure enough that is successful. And one more, I'm just going
00:02:03 - to do to 192.168.1.1, right
00:02:07 - up here.
00:02:10 - Okay, good. That is all verified working because every port
00:02:14 - is assigned to the same VLAN. So let's think about network
00:02:18 - architecture here. As soon as I type in ping 192.168.1.20,
00:02:21 - this sends out an ARP broadcast, right, to the entire
00:02:26 - VLAN saying, hello, who is 192.168.1.20?
00:02:30 - This computer receives the broadcast, responds and says, that's me, here's
00:02:33 - my MAC address, and now that PC comes over and pings the device
00:02:37 - and is able to reach that device. So we're good. We are verified
00:02:41 - working between our connections. Now, let's move down to step
00:02:45 - number 4 here, assigning ports to the VLAN. This switch is attached
00:01:49 - or sorry, this PC is attached to switch number 3 on Fast Ethernet
00:01:53 - 0/8. So I want to jump over there.
00:02:58 - Go to switch 3. I will do a show VLAN, and I can see
00:03:03 - that this one still does have the
00:03:06 - three VLANs we created; sales, marketing and engineering. However,
00:03:09 - everything is assigned to Fast Ethernet 0/8 or sorry,
00:03:12 - to VLAN 1, including Fast Ethernet 0/8. I will do a show run
00:03:16 - interface fa0/8, and I can see this is set up to switch
00:03:20 - port mode access. It's an access port that is a non-trunking
00:03:25 - device. So, what I'm going to do is assign that. Let's move
00:03:29 - that PC, the one I was just pinging from, into the sales VLAN.
00:03:34 - The way we do that is get into global config mode, into interface Fast
00:03:38 - Ethernet 0/8. I'm going to type in,
00:03:42 - well we've already, usually I'll type in switchport
00:03:45 - mode access, but we've already got that in there so that's
00:03:49 - okay. So I'll type in switchport access. Since this is an access port, it is going to
00:03:54 - access and then I just type in VLAN and what number of VLAN I would
00:03:58 - like it to access. So I could say the VLAN 10, enter. Now at that
00:04:03 - point, I have now moved this PC
00:04:08 - into a new VLAN and we're going to be building this network diagram
00:04:10 - as we go. It's going to stay there. We have this PC that is now
00:04:14 - in VLAN 10. Everything else is in VLAN 1. Now at this
00:04:18 - point, I'm going to just bring that command prompt right back up again,
00:04:22 - the one I was doing all those test pings from. Let's see if
00:04:25 - I can ping 192.168.1.20.
00:04:28 - Again, the PC right next to it.
00:04:32 - Nothing. Let's see, destination host is unreachable, not going to
00:04:37 - happen. Timed out. Not, you know, the, the ping is failing.
00:04:41 - Let's hit the up arrow and try pinging 1.1.
00:04:43 - Nothing. Control-C, 1.2, nothing. I can tell you, nothing
00:04:49 - is going to work because we have segmented this into a separate VLAN.
00:04:53 - And remember when we do that, a VLAN equals a subnet
00:04:56 - equals a broadcast domain. That PC, even though it's plugged into the same switch,
00:05:01 - is completely isolated from the network, okay.
00:05:06 - Now, what I'm going to do just, just to prove this, as of right now,
00:05:10 - I'll jump back here, do that test ping to 1.20 one more time.
00:05:14 - We can see it's failing because that PC is in a separate VLAN.
00:05:17 - So when they ARP broadcasts, remember it's a broadcast that goes out,
00:05:20 - it goes to everything in VLAN 10, which is just this PC.
00:05:23 - So it goes nowhere. Nobody receives the ARP message. Now, what if
00:05:27 - we add this PC
00:05:33 - into VLAN 10 as well? Well, let's check it out and see
00:05:39 - what happens. I'm going to jump over to my
00:05:43 - Tera Term connection here, Control-Shift-6 X back to my access server switch 2.
00:05:47 - Now, that PC, the 1.20 is plugged into
00:05:52 - Fast Ethernet 0/8 on switch 2 as well. Now, that one I
00:05:56 - have a remote connection to. I'm sitting on 1.50. The
00:05:59 - PC at 1.20 is remotely controlled so I'll bring
00:06:02 - up that prompt. That's the remote session with the 1.20.
00:06:06 - I will do an IP config just to verify. There it is, 192.168.1.20.
00:06:09 - I am gonna ping. Let's do 192.168.1.1.
00:06:13 - Good because we're still on the,
00:06:17 - the VLAN 1 on this PC. 1.2, good, life is peachy. Now, I am going
00:06:21 - to hit the up arrow and ping 1.50, verified dead
00:06:25 - because that is the PC that is in a separate VLAN. So let's
00:06:28 - do this, I'm going to minimize this guy down, bring up my
00:06:33 - switch 2, go into interface, oh, let me do a show VLAN just to
00:06:38 - verify. We've got the sales VLAN here as well. I'm going to go into
00:06:42 - interface Fast Ethernet 0/8 and do switchport
00:06:48 - access VLAN 10. Done. What that has done is now moved this
00:06:55 - computer into the same VLAN as this PC. Now, remember these
00:06:59 - are trunk ports, so if this one sends an ARP broadcast saying,
00:07:03 - hey, who is this certain IP address? That will cross the trunk with an
00:07:06 - 802.1q tag saying, I'm a part of VLAN 10. Hits this, travels
00:07:11 - down this trunk, and will come out to every port that is in
00:07:13 - VLAN 10, which should be this one and it should receive that ARP
00:07:17 - broadcast. So now that I've transitioned that over to
00:07:21 - VLAN 10,
00:07:23 - I will bring up that remote session again. I will hit the up arrow, you can see
00:07:26 - before it was failing on the ping to 1.50. Hit the
00:07:29 - up arrow, do it again, and now we are successful. We can see that
00:07:33 - those, those two PCs are now able to reach each other, but
00:07:36 - look at what happened. As soon as I try and ping 1.2,
00:07:40 - dead now. Control-C, 1.1, dead. I think I've proven my
00:07:45 - point that when you segment into separate VLANs, you are really segmenting
00:07:49 - networks. Those are now on a completely separate network. So
00:07:56 - remember I have said, a VLAN equals a subnet equals a broadcast domain.
00:08:00 - What I want to do is come up with a scheme to make routing
00:08:06 - possible. The first thing I want to do is I want to transition this
00:08:09 - guy over to VLAN 20 just because it would be good to have
00:08:14 - a couple of VLANs going. We can set up routing between
00:08:17 - all of them to allow VLANs to reach each other. So let me
00:08:20 - bring up my prompt. Just hit the up arrow. We're still on that same switch,
00:08:24 - and I'll just say, you are in VLAN 20.
00:08:27 - Do a show VLAN and I can see there's my Fast Ethernet 0/8
00:08:31 - segmented into VLAN 20. So with that in place, we've got
00:08:35 - these two computers that are totally isolated from the rest. They can't ping
00:08:39 - each other. They can't ping anything in VLAN 1 up here.
00:08:43 - So we are dead in the water. Now, what we need to do any
00:08:46 - time we create VLANs is do some subnetting. The most common
00:08:50 - thing I see, and I think it's a great idea,
00:08:54 - is to create subnets that match VLAN numbers,
00:08:58 - VLAN numbers. Let me, let me talk, show you what I'm talking about. I have got VLAN 1
00:09:02 - right now and VLAN 1 is 192.168.1.0.
00:09:07 - I'll type all this up as we perfect our
00:09:12 - network diagram so it looks prettier. So that's VLAN 1. I have got VLAN 10
00:09:15 - which is currently, you know, assigned the IP address, 192.168.1
00:09:22 - but you can't have that. Every VLAN needs
00:09:25 - to be a subnet, so we will have this one be
00:09:28 - 192.168.10.0/24. That's what
00:09:33 - I mean when I'm talking about VLAN numbers equaling the subnet
00:09:37 - numbers. I kind of like, like the idea of using a
00:09:40 - 10 in the address so I can quickly relate VLAN 10 to that.
00:09:44 - VLAN 20;
00:09:47 - we'll make 192.168.20.0/24, okay.
00:09:52 - So we've got this new subnetting
00:09:57 - scheme that we've got in place. I'll need to go in and change all the
00:09:59 - IP addresses. I might as well do that here. At this point, you
00:10:04 - probably know how to change IP addresses. Okay, you know how to
00:10:07 - change IP addresses, but I'll do it here just because I've got
00:10:11 - the recording going. This is Windows Vista. So maybe in Windows
00:10:14 - Vista you haven't changed IP addresses. The manage network connections
00:10:18 - because right now I've got my wireless and local. I'll go to the properties for the
00:10:24 - local. Now, this one is going to move to VLAN 20. So we'll say this is
00:10:29 - 192.168.20.20. Now, just
00:10:33 - change them over to a different subnet. Now, I haven't set up a
00:10:36 - default gateway yet, but if I do, I'm gonna make it 20.1
00:10:39 - that it, it's able to use. Click OK, okay on there and we've got
00:10:43 - that IP address changed. I will change the IP address on my computer later
00:10:46 - because there's some tricks I need to do on that because
00:10:48 - that's what I'm recording on so it will kind of hold up my recording
00:10:51 - if I do that. So this one is now going to be changed over to 20.20.
00:10:55 - And when we are setting up routing between VLANs
00:10:59 - we really have three separate options.
00:11:03 - Those three options are, number one, using a separate port
00:11:07 - to each VLAN, two, a router-on-a-stick. That is its technical
00:11:12 - name, not a, it's like a corn dog router. It's, that's, I'm not making
00:11:16 - that up. You can Google that and you'll find router-on-a-stick
00:11:18 - configurations. And third is layer 3 switching. Now, at the
00:11:23 - CCNA level, before I describe each one of these, you are expected
00:11:27 - to do one and two from this list. The CCNP will actually
00:11:33 - move into layer 3 switching. But I'm telling you, layer 3
00:11:37 - switching is so easy. I think I am gonna show it to you in this video. So first off, separate
00:11:42 - port to each VLAN. Now, you can see that we've got a little
00:11:46 - example here. We've got two VLANs, VLAN 50 and 51.
00:11:48 - This computer up here will say 1.50 is assigned
00:11:53 - to VLAN 50, and this computer right here, 2.50, is
00:11:57 - assigned to VLAN 51.
00:11:59 - Now, we could go to our router and plug it in to a switch, put one
00:12:05 - port into VLAN 50 and, you know, assign that port to VLAN 50
00:12:08 - right here on the switch. Put the other port into VLAN 51,
00:12:11 - and assign that port to that respective VLAN. Configure
00:12:15 - these with respective IP addresses from each subnet. For instance,
00:12:19 - 1.1 is from the subnet we're using here for the
00:12:22 - 1.50 and 2.1 is from this subnet we're
00:12:25 - using here for 2.50. So what we would do is set
00:12:29 - the default gateway on this PC to that IP address that, you know,
00:12:35 - within its VLAN. The default gateway in here would be this IP address.
00:12:39 - So if 192.168.1.50 pinged 2.50, it would actually
00:12:43 - go out of the switch, reach the router on Fast Ethernet 0/0,
00:12:47 - the router would look at it and say, oh, well, you're going
00:12:50 - out this interface, into the same switch on VLAN 51
00:12:53 - and come out and ping this device. Now, the problem with doing
00:12:58 - a separate port to each VLAN is it's just not practical
00:13:02 - nor is it scalable. Meaning the more VLANs you add, it is not
00:13:06 - uncommon in, in companies to have 50, 60 different VLANs.
00:13:11 - I mean there's just not a router that exists that has 50
00:13:14 - or 60 different Fast Ethernet ports, and if it did, it would just
00:13:17 - be insanely expensive. So what, you know, it's, it's first off not
00:13:22 - really practical interface wise. It's just ugly wiring wise
00:13:25 - because you're wasting a switch port for every single router
00:13:29 - connection that you need to have and so on. So it works, it's doable
00:13:33 - but not practical. That's why Cisco came out with a router-on-a-stick.
00:13:37 - That's, that's the name. What it does is configure a trunk
00:13:43 - connection to the router. Now, remember a trunk connection forwards
00:13:47 - all VLAN traffic. So when this computer wants to reach
00:13:51 - its default gateway, you know, 1.1, it will come out across
00:13:54 - the trunk. When this one wants to reach its default gateway, it will come
00:13:58 - out the trunk as well. Now, there are some configuration thoughts
00:14:02 - that have to go into this as in, you know, what IP address are you going to
00:14:05 - give that interface and how are you going to set that all
00:14:07 - up. But that, I've got a separate slide just for that. So I'm going to
00:14:10 - save that discussion till then. The last kind of method that
00:14:15 - we can use to route between VLANs is a layer 3 switch.
00:14:20 - What this is is a router inside of a switch. You'll,
00:14:24 - you'll hear this term slung around all over the place, layer 3
00:14:27 - switching, layer 3 switching. A lot of people say multilayer
00:14:29 - switching. It is a router inside of the switch. It's, it's like
00:14:33 - this concept, I wish I could animate this and imagine me putting
00:14:36 - my hand right here and just going err-ugh and smooshing that
00:14:40 - router into the switch because that's exactly what a layer
00:14:43 - 3 switch is, a router inside of a switch. Instead of
00:14:47 - having an outside router,
00:14:50 - we create VLAN interfaces on that layer 3 switch
00:14:56 - that are reachable by everything inside of that VLAN. So
00:15:01 - for example, if this, this computer right here is assigned to VLAN 51
00:15:05 - and I chose 192.168.2.0 as the
00:15:08 - subnet for VLAN 51, well I could create a virtual interface
00:15:13 - on this switch called interface VLAN 51 and give it an
00:15:17 - IP address which is immediately reachable by this PC and
00:15:21 - it can come into that switch just like it would be, you know,
00:15:23 - coming into this router right here or coming into this router right
00:15:26 - here and say, I would like to reach, you know, this other PC? And the
00:15:30 - switch would say, great, let me just switch over here to the separate VLAN, and now
00:15:33 - you're able to reach that separate subnet. You know, while we're
00:15:36 - here, I'm, I'm really going to spend a lot of time on the router-on-a-stick
00:15:39 - configuration because that's what the CCNA exam
00:15:42 - expects you to do, and you'll see a lot in, in lab environments and, and even
00:15:47 - in the real world. So let me show you the layer 3 switching
00:15:51 - right now. I'm going to, this is kind of on the fly so
00:15:55 - forgive me if it completely blows up. I'm going to bring out our network diagram
00:15:59 - back over. This switch right here is a layer 3 switch. And just
00:16:04 - to give you a general idea, these are layer 2 switches.
00:16:08 - They don't have layer 3 capabilities. So layer 2 switch, general
00:16:12 - price of about, you know, approximately,
00:16:16 - we'll say 400 bucks for a brand new 24-port
00:16:20 - layer 2 managed switch. Now, that is a pretty decent price. Layer
00:16:24 - 3 switch, for the same amount of ports, same speed, 100 meg per second,
00:16:26 - layer 3 switch is probably at about
00:16:31 - 2,400 bucks, they're the same bucks. It costs that much
00:16:35 - more because it's a huge software upgrade that allows your switch
00:16:39 - to do routing capabilities. So
00:16:43 - switch number 1 is a layer 3 switch. So let me show you
00:16:46 - how you would set one up. I'm going to grab my configuration window.
00:16:49 - Like I said, it's kind of on the fly. So as of right now,
00:16:56 - let's see. Is this going to work? Yeah, we'll see, hmm. Down here I have
00:17:02 - VLAN 20, right, which I went at and re-assigned this, this
00:17:06 - PC in that VLAN. 192.168.20.20
00:17:09 - is its IP address. Now, as of right now that's totally isolated
00:17:13 - from the rest of the network because everything is assigned to
00:17:15 - VLAN 1, which is 192.168.1.0.
00:17:19 - Well, if I was configuring a layer 3 switch, what I could do
00:17:23 - is go up to switch 1, let me do that right now,
00:17:27 - and I am going to do a show IP interface brief. Now, you can see it has
00:17:32 - one interface in VLAN 1, 192.168.1.10.
00:17:35 - That's its IP address we're using to telnet to
00:17:38 - it and so on. But watch what I am gonna do.
00:17:42 - I am going into interface VLAN 20. Now, remember when
00:17:47 - we created VLANs, right, in the previous video, we didn't type interface
00:17:52 - VLAN 20, we just typed in VLAN 20. That creates a
00:17:54 - VLAN. Interface VLAN 20 creates a new layer 3 interface
00:18:00 - for that VLAN. Let me move on with this configuration, and then
00:18:03 - I will explain how it works. I'm going to give this, the IP address,
00:18:07 - 192.168.20.1.
00:18:11 - 255.255.255.0, okay.
00:18:15 - Now, I am gonna do a show, show IP interface brief now that I have done that and
00:18:20 - notice we have got a switch with two VLAN interfaces, VLAN 1 and VLAN 20.
00:18:26 - Now, there's one more command I need to do on a,
00:18:29 - on a switch. This is the layer 3 command,
00:18:34 - IP routing. What that does is that it says, turn on the routing
00:18:38 - capabilities of the switch. It is like a big light switch inside of
00:18:41 - that switch that just went click and it's now able to run routing
00:18:44 - capabilities. So remember this, this PC that wasn't able to reach
00:18:49 - anything before? Let me go back to it. Where is it at? Right here. I'm going to
00:18:54 - bring up a command prompt on that PC.
00:18:59 - It's kind of out of your window, but I'll bring it up right here.
00:19:02 - Do an ipconfig and I can see I have got 192.168.20.20
00:19:06 - is the IP address. Notice the default gateway,
00:19:09 - 20.1. It's the same IP address I gave the layer 3 switch.
00:19:14 - Let me ping it. Hmm, oh, just like, now like I said, this was on the fly.
00:19:24 - But there it is. It just takes a second to respond the first time.
00:19:27 - There we go. We've got the, the ping coming back successfully. So
00:19:31 - 20.1 is responding. Now, who is 20.1? Check it out.
00:19:34 - I am going to type in telnet 192.168.20.1.
00:19:37 - Forgive the characters kind of glitching. This is
00:19:39 - a remote session so it's with the remote PC so it is a little glitchy
00:19:44 - on the graphics. So I telnet over and check out, oh, man.
00:19:48 - Look at where I am, I am on switch 1. Switch 1 is now responding
00:19:52 - to that IP address that I just gave it. So here's the big
00:19:55 - picture. This switch has an IP address in each VLAN.
00:20:00 - 192.168.1.10 is in VLAN 1.
00:20:04 - It also has 192.168.2.1/24
00:20:09 - that is in VLAN 20. Since it's
00:20:13 - a router inside, I can actually go from this PC into the
00:20:19 - switch as my default gateway. The switch gets it on its layer 3
00:20:24 - routed interface and says, well let me route you over to
00:20:26 - VLAN 1. Check it out. I'm going to jump back over to, so where was I?
00:20:31 - This remote session with the PC. I am gonna ping 192.168.20.1,
00:20:35 - again my default gateway.
00:20:38 - Now, let me ping 192.168.1.10.
00:20:43 - No, yes, yes, no. Dah! Failure.
00:20:53 - No, I'm just, it fell apart. I just, I, I thought of something as soon as, as soon as I
00:20:58 - put this together. The problem as of right now is that
00:21:04 - all of these other devices in VLAN 1 don't know that this
00:21:08 - 192.168.20.x subnet exists.
00:21:12 - Meaning I haven't turned on a routing protocol that's advertising
00:21:15 - that to some, everybody else. So if I were to actually do a trace
00:21:18 - route and follow packets, I would be able to see that the
00:21:21 - packets can reach devices in VLAN 1, but because I haven't set
00:21:25 - up true routing to where they know that the 20.x
00:21:29 - subnet exists, that should be 20.1,
00:21:33 - the 20.x subnet exists, they, they don't know
00:21:36 - where to send it back. So the, the, the end to end ping isn't gonna work
00:21:41 - but the concept is still good. I am telling you, this is great. This is,
00:21:44 - it's great stuff. That is how you can configure a layer 3
00:21:48 - switch, which is just adding VLAN interfaces to the
00:21:52 - switch and it's then able to route between them just like, just
00:21:55 - like this except it's all inside of the switch.
00:21:59 - Alright, now that I've shown you how a layer 3 switch works,
00:22:02 - let's talk about how we do it at the CCNA level. Understanding a
00:22:05 - router-on-a-stick. This is a viable method to route between
00:22:10 - VLANs that actually works quite well, and I'll tell you why.
00:22:13 - First, it looks very inefficient, but it actually works very
00:22:16 - well. The
00:22:19 - devices that are plugged into the separate VLANs, we have
00:22:22 - VLAN 50 up here, VLAN 51, and just for the sake of argument,
00:22:26 - VLAN 50 is 192.168.1.0/24
00:22:30 - and VLAN 51 is 192.168.2.0/24.
00:22:34 - So those are the
00:22:38 - subnets that are assigned. These PCs are placed in those VLANs.
00:22:41 - A router-on-a-stick will enable a trunk link between the
00:22:47 - router and the switch, meaning all VLAN traffic is being
00:22:51 - sent. But the problem is, remember I said a VLAN equals
00:22:55 - a subnet. So if a VLAN equals a subnet, what IP address do
00:22:59 - you give the router's interface? The answer is none. The physical
00:23:05 - interface itself does not get an
00:23:10 - IP address. We create sub-interfaces of that interface.
00:23:14 - Now, this is a brand new concept to this track. Sub-interfaces
00:23:19 - allow you to take one interface and break it into many. As a matter
00:23:22 - of fact, let's jump back to our network diagram here,
00:23:26 - which is getting a little messy. I have to clean it up. This router right here, router 2,
00:23:31 - I plan on being a router-on-a-stick. The one requirement that
00:23:35 - you need to have for a router-on-a-stick is it has to be a fast
00:23:39 - ethernet interface or greater. That's why I'm not using router
00:23:42 - 1 is that is a 10 meg interface, just ethernet. That is not allowed
00:23:46 - to do a router-on-a-stick because it needs more bandwidth. There's a lot
00:23:49 - of traffic that will be coming in and out. So with this
00:23:53 - router-on-a-stick concept, we can split that one interface on router 2
00:23:57 - into multiple sub-interfaces that allow router 2 to receive
00:24:01 - packets on one sub-interface and route them right back around
00:24:04 - on another. So let me bring up the configuration window.
00:24:10 - Now, I'm going to open a session to router 2. Oops, I've got my switches open
00:24:15 - right now.
00:24:20 - Ignore that. That's an issue with my access server. So I am going to get into
00:24:24 - router 2, do a show IP interface brief. Now as of right now
00:24:29 - it has an IP address on Fast Ethernet 0/0 which
00:24:32 - is 192.168.1.2.
00:24:36 - That is, that is the known IP address that we've been using on VLAN 1. What I'm
00:24:39 - going to do is step it up a notch and start creating sub-interfaces.
00:24:44 - I'm going to type in interface Fast Ethernet 0/0.
00:24:50 - and I'm going to hit a question mark.
00:24:52 - Hoo Nelly, look at that, up to 4 billion 294 million
00:24:57 - 670 or 900, a big number, a huge number
00:25:02 - of sub-interfaces. Now, if you actually try to create that many,
00:25:05 - I'm sure your router would eventually run out of memory. The
00:25:09 - point of giving you such a big range is allowing you
00:25:11 - to pick whatever interface number that you want.
00:25:14 - Let, let me jump back to our network diagram here. As a matter of fact, hang on one second.
00:25:19 - I've got a network diagram that I have already pretty done for just what we're
00:25:21 - about to do. I have router 2's Fast, Fast Ethernet 0/0
00:25:26 - that still communicates with VLAN 1. You
00:25:29 - can mentally think VLAN 1 right there. But I'm gonna create
00:25:33 - two sub-interfaces, Fast Ethernet 0/0.10, which will communicate
00:25:38 - with VLAN 10, and Fast Ethernet 0/0.20, which will
00:25:42 - communicate with VLAN 20. Now, I'm going to need to
00:25:45 - configure a trunk port that moves from Fast Ethernet 0/4
00:25:50 - on switch 3 to router 2 in order for this to happen because
00:25:55 - otherwise it's not gonna send VLAN 10 and 20 traffic
00:25:58 - down to router 2. But before I configure the trunk port, let me get
00:26:01 - router 2 set up the rest of the way. We've got
00:26:06 - right at the, the sub-interface part, so I can type in sub-interface
00:26:10 - Fast Ethernet 0/0.20. As soon as I do that, notice it takes
00:26:14 - me into this subif configuration mode where it's just magically
00:26:19 - created a brand new interface for me. I'll give it the IP address
00:26:22 - 192.168.20.1
00:26:27 - and hit enter. Oh, I can't type these commands out of order. It says, configuring
00:26:33 - IP routing on a LAN sub-interface is only allowed if
00:26:36 - that sub-interface is already part of an IEEE 802.10,
00:26:39 - IEEE 802.1q or ISL VLAN. Meaning
00:26:44 - I need to tell this router that this sub-interface will respond
00:26:49 - to packets coming for a specific VLAN. The way I do that is I
00:26:54 - type in encapsulation,
00:26:58 - I have to spell it right, encapsulation dot1q and then tell it what VLAN it
00:27:02 - responds for, VLAN 20. Now,
00:27:07 - oh, it just gives you a little warning. By the way, if your
00:27:10 - interface doesn't support baby giant frames, maximum MTU, you know,
00:27:14 - and so on, I'll talk about what that message means
00:27:17 - in just a moment. Let me finish this configuration. I've got encapsulation dot1q 20
00:27:20 - saying, this sub-interface responds for
00:27:24 - VLAN 20. I will hit the up arrow twice and now assign that IP address
00:27:28 - without any problem.
00:27:30 - Drop back out, type in interface Fast Ethernet 0/0.10.
00:27:35 - Let's create the sub-interface that's going to respond for
00:27:38 - VLAN 10. Hit the up arrow a couple times, get back my command
00:27:41 - for encapsulation dot1q 20. Now, let's say, this one is
00:27:45 - 10. Now, just a side note, I don't need to make this sub-interface
00:27:50 - number match the actual VLAN it works for. It's really good
00:27:54 - practice. It avoids a lot of confusion, but this is the command that
00:27:57 - actually tells the router that Fast Ethernet 0/0.10
00:28:01 - responds for packets to VLAN 10. I could make that sub-interface,
00:28:05 - you saw the range, 4 billion 200 million if I wanted to.
00:28:08 - But this is what ties it to VLAN 10. Now, I'll hit the up arrow,
00:28:15 - shoot back over here, do 10.1. So now, if I hit Control-Z
00:28:22 - and do a show IP interface brief, I have a router here that now
00:28:27 - has interfaces for VLAN 1, that's Fast Ethernet 0/0,
00:28:31 - VLAN 10 and VLAN 2 with a respective IP address
00:28:36 - from that VLAN. Now, all I have to do is assign, and I lost
00:28:41 - my dotted lines there when I changed network diagrams. I
00:28:45 - I need to assign this PC from VLAN 10, an IP address from
00:28:49 - that VLAN which is 10.50, I typed it out there, and to put
00:28:53 - its default gateway to point, chooo, right there to
00:28:58 - 192.168.10.1. This PC over here in VLAN 20
00:29:02 - will be assigned an IP address from that VLAN and point
00:29:07 - to this, choooo,
00:29:10 - as its default gateway, 20.1. So when these ping each
00:29:14 - other, now you can see why it got the name router-on-a-stick, this
00:29:18 - message will cross a trunk link through the trunk link, down
00:29:22 - through the switch, over to the router, into the interface responding
00:29:26 - for VLAN 20, 20.1. It will do some loop around
00:29:29 - in that router, come back out on VLAN 10. It's tagged as being
00:29:33 - part of VLAN 10, pass these trunks, whoops, make a U-turn
00:29:36 - because it missed the, the exit point, and come down and ping
00:29:39 - this device in VLAN 10. Now, with all this in place, I want to
00:29:44 - make sure I answer the big why. Why on earth are we going
00:29:49 - through all of this hassle to create these VLANs and segment
00:29:52 - these computers and all that? Well, think back to our original
00:29:55 - point of why we have VLANs in the first place. Number one is
00:29:59 - to reduce the size of our networks. The more PCs you have on a network,
00:30:04 - if everything stays on VLAN 1, the broadcast amount keeps
00:30:07 - getting greater and greater and greater. So these PCs will
00:30:10 - start flooding the network with broadcasts. So by breaking
00:30:13 - them into VLAN 10 and VLAN 20, all the broadcasts for
00:30:17 - VLAN 10 stay on VLAN 10 and VLAN 20 stays on
00:30:20 - VLAN 20.
00:30:22 - The second reason why is as soon as I have them going through
00:30:25 - a router, and we haven't talked about how to do this yet, but we
00:30:28 - can do it and we'll do it later in the series, is we can set up an
00:30:32 - access list that prevents VLAN 10 computers from reaching
00:30:37 - VLAN 20. I can set an access boundary to say that maybe
00:30:42 - only these computers could cross that boundary or, or this computer
00:30:45 - during this certain time of day can access that but, you know,
00:30:48 - other times of the day can't. There's a lot you can do with access
00:30:51 - control and access lists. And as soon as you put things in separate
00:30:54 - VLANs and route between them, that becomes an option. Without
00:30:58 - it, you have no hope for security between those two devices
00:31:01 - on the same VLAN. So at that point,
00:31:04 - we now have the sub-interfaces configured on the router. Let
00:31:08 - me go back. I mentioned I was going to talk about this. To the
00:31:11 - message that it brought up, it says, if the interface doesn't support
00:31:14 - baby giant frames, maximum MTU of the interface has to be
00:31:18 - reduced by 4 bytes on both sides of the connection to properly
00:31:21 - transmit or receive large packets. Please refer to documentation
00:31:25 - and so on. What that means is normally on a
00:31:30 - ethernet network, the biggest packet you can send is 1500
00:31:35 - bytes. That is the largest packet size that you can. But when
00:31:39 - you slip a shim, remember the tag, you put a little shim,
00:31:44 - a 4-byte shim on a trunk link to identify what VLAN it belongs to,
00:31:50 - you've actually increased the packet size to 1504 bytes.
00:31:53 - That's what people consider, it's kind of
00:31:58 - a funny name, a baby giant. It's not way big, it is just kind of
00:32:03 - big. It's bigger than what you normally send. So it's saying the router
00:32:06 - and the switch have to be able to support that, and in this case
00:32:09 - they do. Since they're both Cisco, as soon as you set this up, they automatically
00:32:12 - adjust the maximum transmission unit down to 1496 bytes.
00:32:17 - So if you add the tag back in, it, it goes to that maximum
00:32:21 - ethernet it can handle which is 1500 bytes. So that's what
00:32:24 - that message is all about.
00:32:26 - Now, I need to go to the other side in order to make this work
00:32:29 - and configure switch number 1 with a trunk link going over
00:32:34 - to that router.
00:32:36 - So let me bring up my console connection to that switch, switch 3.
00:32:40 - I got it right here. And I'm going to type in, let's do a show CDP neighbors,
00:32:45 - and we can see that router 2 is attached to Fast Ethernet 0/4,
00:32:49 - and I can see that, that connection is there.
00:32:53 - What I'm going to do is go under that interface, interface Fast Ethernet 0/4
00:32:56 - and do a switchport mode trunk, which
00:33:02 - converts it over from an access port over to a trunk, thus matching
00:33:05 - my little red T that I have on the line there. That is now
00:33:08 - trunking so that all the VLAN traffic will go to that router.
00:33:11 - Now, what I have left to do is to attempt to ping from this
00:33:17 - PC. Let's ping and see if we can reach that sub-interface
00:33:20 - on the router 2. Then I'd like to start pinging into other
00:33:25 - VLANs because since router 2 is a router, it will be able to
00:33:28 - route us in Fast Ethernet 0/20 and then it can come
00:33:32 - right back out, you know, Fast Ethernet 0/0 into VLAN 1,
00:33:36 - or it could come out Fast Ethernet 0/10 and reach
00:33:39 - VLAN 10 devices over here. So let's try that. I'm going to bring
00:33:44 - up my connection. This is the PC. I'll do that ipconfig.
00:33:48 - This is the 20.20 PC that is in VLAN 20. Let's
00:33:52 - see if we can ping our default gateway, 192.168.20.1.
00:33:55 - By the way, if you're curious, I removed that
00:33:58 - layer 3 switch configuration during one of the breaks
00:34:02 - in my recording, and you can see that I can ping 192.168.20.1,
00:34:05 - which is my default gateway, which is
00:34:09 - the router-on-a-stick.
00:34:11 - Now, I'm going to try and ping 192.168.10.1 which is
00:34:15 - the IP address of the
00:34:19 - other sub-interface through the router, not just to the router.
00:34:23 - So I'm going to do 10.1, hit enter, and sure enough we're getting there.
00:34:26 - Let's do this, let's ping 192.168.1.1,
00:34:30 - which is an IP address over on VLAN 1, but it's
00:34:39 - not going to work.
00:34:42 - I think of these things too late. The reason why it's not going to work,
00:34:45 - here again this is the same exact thing that happened with
00:34:48 - the layer 3 switching. Let's do a packet trace here. When
00:34:51 - I ping 192.168.1.1,
00:34:54 - it comes to its default gateway and says, oh, 20.1, you are received.
00:34:58 - Let me send you out onto VLAN 1. So it goes out, you know, comes
00:35:02 - out of here, on to VLAN 1, comes up, it's actually reaching
00:35:06 - 1.1 which is this router up here, and when the router
00:35:09 - gets it, it's going, who's 192.168.1.20? Meaning
00:35:13 - I don't have a route for 192.168.1.20.
00:35:17 - Let me actually take you over to router 1.
00:35:22 - I'm just going to step this up a big level right here. I'm going to go to
00:35:26 - router 1, oh!
00:35:30 - I have an old, old access server where I actually have to clear lines multiple times,
00:35:34 - and sometimes it just does that and gives me a bunch of errors. Alright, there we go.
00:35:39 - So we've got router 1. I'm going to do a show IP route on
00:35:43 - router 1.
00:35:45 - Now, you can see that it knows about 192.168.1.0,
00:35:48 - .2.0, and .3.0 because
00:35:52 - it's learned about this via RIP. It's learned about this because it's a
00:35:55 - connected interface. So what I would like to do is I would like to
00:36:00 - add a static route on router 1 that tells it about the
00:36:05 - 192.168.20 subnet, the one that we just
00:36:10 - created over here in VLAN 20. And I'm going to say to reach that
00:36:13 - that subnet, use the next hop IP address of 1.2, which it can
00:36:16 - get to, which is the router-on-a-stick which is able to route
00:36:19 - to VLAN 20. So here's how that's going to look. Go on to router 1,
00:36:23 - do IP route 192.168.20.0.
00:36:27 - That's the subnet we're trying to reach, the new VLAN.
00:36:30 - 255.255.255.0 and our next hop IP address
00:36:34 - will be 192.168.1.2 which is the
00:36:37 - IP address right here of router 2.
00:36:41 - Enter. So at this point, I should at least be able to ping 192.168.20.1,
00:36:44 - which is the default gateway
00:36:47 - on router 2, to reach VLAN 20. And sure enough I am.
00:36:51 - So now let's jump back here. You can see the, the ping was just
00:36:55 - failing for 1.1.
00:36:57 - Hit the up arrow, try it one more time, and now we are successful.
00:37:01 - The reason I wanted to do that, and I wanted to make sure that
00:37:04 - ping is working, is because I want to do a trace route,
00:37:09 - trace route to 192.168.1.1.
00:37:12 - Watch what's going to happen here. Oh, stupid Windows Vista.
00:37:19 - It turns on
00:37:24 - name resolution for trace route. Where is it? Right there, -d.
00:37:29 - Do not resolve addresses to names. So I'm going to do a trace route,
00:37:37 - trace route -d 192.168.1.1.
00:37:41 - Otherwise, it just takes forever because it's saying, what name,
00:37:43 - you know, belongs to 192.168.1.1?
00:37:46 - So I do that and right there, look at that. It shows
00:37:49 - where you, where you're going to. First hop, 192.168.20.1.
00:37:53 - That's our router-on-a-stick. Second hop
00:37:56 - is there. So that proves that we're going through our
00:38:00 - router-on-a-stick to get there rather than just being able to get
00:38:03 - directly there, and I think you saw it just based on the pings and
00:38:06 - tests I was doing that you're not able to ping from a
00:38:09 - VLAN without router capabilities. So that is a router-on-a-stick.
00:38:13 - And what I'm planning on doing is putting up this VLAN
00:38:16 - screen and keeping these machines permanently in VLAN 10
00:38:20 - and VLAN 20. Now this machine I'm not really going to
00:38:24 - test in this one, because like I said it's the one that I'm recording on.
00:38:26 - If I change its IP address, things will start blowing up.
00:38:29 - But that I'll reconfigure before the next video, and
00:38:33 - it will be our second host that is able to ping between the
00:38:37 - two VLANs and between the rest of the network.
00:38:41 - Forgive me, I know we went a little longer in that video, but
00:38:43 - it was good stuff. It really puts all the VLAN concepts
00:38:47 - together in, into what VLANs are designed to do.
00:38:51 - So to wrap this series, this mini series on VLANs and
00:38:55 - VTP up, we walked through and enhanced our network. We
00:38:58 - added a few switches. We configured trunking. We set up VTP
00:39:02 - to replicate the VLANs, and then we configured the VLANs
00:39:05 - themselves, VLAN 10, 20 and 30 to replicate between
00:39:08 - the switches. In this video, we assigned those switch ports to
00:39:12 - their respective VLANs, 10 and 20 in this case, and then
00:39:15 - configured routing on the VLANs using a router-on-a-stick.
00:39:19 - Now, as I'm going through the series, each concept is building
00:39:22 - upon the last, so we're gonna keep the VLANs there throughout the rest
00:39:25 - of the series. It will help us get comfortable with them and also give us
00:39:29 - more that we're able to do with our network topology. I hope
00:39:33 - this has been informative for you, and I'd like to thank you for viewing.